CCNA Security Lab 11 - Catalyst Switch 802.1x Security - CLI 

Lab 11 

Catalyst Switch 802.1x Security 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to enable 
802.1x authentication on Cisco IOS Catalyst switches. 

Lab Purpose: 

802.1x is used to provide Catalyst switch access port security by authenticating 
users before allowing them to pass traffic through ports on Cisco IOS Catalyst 
switches. 

Lab Difficulty: 

This lab has a difficulty rating of 7/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use any single switch to complete this lab: 



This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mbps 
GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges 
used in this lab with those available on your switch. For example, if you only have 12 10/100 
FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that 
you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the 
GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute 
GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example. 


In addition to this, the RADIUS server is not required. It is depicted here for the purposes of being 
thorough! RADIUS server configuration is beyond the scope of this course. 

Lab 11 Configuration Tasks 
Task 1: 

Configure the hostname on Sw1 as illustrated in the diagram. In addition to this, configure the following 
VLANs on Sw1: 

VLAN Number    VLAN Name      VLAN Ports 
2020           802-1X-VLAN    FastEthernet0/1 - FastEthernet0/24 

In addition to this, configure interface VLAN 2020 on Sw1 and assign the interface an IP address of 
192.168.1.1/24. Verify your configuration. 

Task 2: 

Configure user catalyst with a password of security on Sw1. This user should have Level 15 access 
privileges on the switch. Configure a secret password on Sw1 of security. 

Task 3: 

Configure authentication on Sw1 so that all users are authenticated against the local database. In 
addition to this, enable (privileged EXEC) access should use the enable secret for authentication. 

Task 4: 

Configure 802.1x authentication on ports FastEthernet0/1 - 24 on Sw1. 802.1x authentication will be 
performed by a RADIUS server with the IP address 192.168.1.254. This RADIUS server should use the 
password dot1x for authentication. Verify your configuration. 

Lab 11 Configuration and Verification 
Task 1: 

To complete this Task, you will need to enable VTP transparent mode so that you can configure 
extended-range VLANs (1006-4094) on the switch. 

Switch(config)#hostname Sw1 
Sw1(config)#vtp mode transparent 
Setting device to VTP TRANSPARENT mode. 
Sw1(config)#vlan 2020 
Sw1(config-vlan)#name 802-1X-VLAN 
Sw1(config-vlan)#exit 
Sw1(config)#interface range fastethernet0/1 - 24 
Sw1(config-if-range)#switchport mode access 
Sw1(config-if-range)#switchport access vlan 2020 
Sw1(config-if-range)#no shutdown 
Sw1(config-if-range)#exit 
Sw1(config)#interface vlan 1 
Sw1(config-if)#shutdown 
Sw1(config-if)#exit 
Sw1(config)#interface vlan 2020 
Sw1(config-if)#no shutdown 
Sw1(config-if)#ip address 192.168.1.1 255.255.255.0 
Sw1(config-if)#exit 
Sw1(config)#exit 
Sw1# 

Sw1#show vlan brief 

VLAN Name                             Status    Ports 
1    default                          active    Gi0/1, Gi0/2 
1002 fddi-default                     active 
1003 trcrf-default                    active 
1004 fddinet-default                  active 
1005 trbrf-default                    active 
2020 802-1X-VLAN                      active    Fa0/1, Fa0/2, Fa0/3, Fa0/4 
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8 
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12 
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16 
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20 
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24 
Sw1# 

Sw1#show interface vlan 2020 
Vlan2020 is up, line protocol is up 
  Hardware is CPU Interface, address is 000d.bd06.4100 (bia 000d.bd06.4100) 
  Internet address is 192.168.1.1/24 
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255 
  Encapsulation ARPA, loopback not set 
—[Truncated Output]— 

NOTE: Keep in mind that if no ports assigned to VLAN 2020 are up, interface VLAN 2020 will 
show a down/down status. This is normal behavior. 


Task 2: 

To successfully complete this Task, keep in mind that switches have 16 VTY lines. 

Sw1(config)#username catalyst privilege 15 secret security 
Sw1(config)#enable secret security 
Sw1(config)#exit 
Sw1# 

Task 3: 

Sw1(config)#aaa new-model 
Sw1(config)#aaa authentication login default local 
Sw1(config)#aaa authentication enable default enable 
Sw1(config)#line vty 0 15 
Sw1(config-line)#login authentication default 
Sw1(config-line)#exit 
Sw1(config)#exit 
Sw1# 


Task 4: 

Keep in mind that because there is no actual RADIUS server, and any hosts you may have connected to 
your switch are not configured as 802.1x supplicants, you will not see any authenticated host 
information on the switch. 

Sw1(config)#aaa authentication dot1x default group radius 
Sw1(config)#aaa authorization network default group radius 
Sw1(config)#radius-server host 192.168.1.254 key dot1x 
Sw1(config)#interface range fastethernet0/1 - 24 
Sw1(config-if-range)#dot1x port-control auto 
Sw1(config-if-range)#exit 
Sw1(config)#exit 
Sw1# 


Sw1#show dot1x interface fastethernet0/1 

802.1X is enabled on FastEthernet0/1 
Status                    Unauthorized 
Port-control              Auto 
Supplicant                Not set 
Multiple Hosts            Disallowed 
Current Identifier        0 

Authenticator State Machine 
State                     INITIALIZE 
Reauth Count              0 

Backend State Machine 
State                     INITIALIZE 
Request Count             0 
Identifier (Server)       0 

Reauthentication State Machine 
State                     INITIALIZE 
Sw1# 

Sw1#show dot1x statistics interface fastethernet 0/1 

FastEthernet0/1 
Rx: EAPOL     EAPOL     EAPOL     EAPOL     EAP       EAP       EAP 
    Start     Logoff    Invalid   Total     Resp/Id   Resp/Oth  LenError 
    0         0         0         0         0         0         0 

    Last      Last 
    EAPOLVer  EAPOLSrc 
    0         0000.0000.0000 

Tx: EAPOL     EAP       EAP 
    Total     Req/Id    Req/Oth 
    2         0         0 

Lab 11 Configurations 
Sw1 Configuration 

Sw1#show running-config 
Building configuration... 

Current configuration : 3956 bytes 
! 
version 12.1 
no service pad 
service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 

hostname Sw1 
! 
no logging console 
aaa new-model 
aaa authentication login default local 
aaa authentication enable default enable 
aaa authentication dot1x default group radius 
aaa authorization network default group radius 
enable secret 5 $1$3Dc3$/wfl_heMTalRMjokszyF8K/ 
! 
username catalyst privilege 15 secret 5 $1$r5Rt$WSspCtMNiorq8cx65fGqiO 
ip subnet-zero 
vtp domain CISCO 
vtp mode transparent 
! 

spanning-tree mode pvst 
no spanning-tree optimize bpdu transmission 
spanning-tree extend system-id 
! 
! 
vlan 2020 
 name 802-1X-VLAN 
! 
interface FastEthernet0/1 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/2 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/3 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/4 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/5 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/6 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/7 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/8 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/9 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/10 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/11 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/12 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/13 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/14 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/15 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/16 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/17 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/18 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/19 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/20 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/21 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/22 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/23 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface FastEthernet0/24 
 switchport access vlan 2020 
 switchport mode access 
 no ip address 
 dot1x port-control auto 
! 
interface GigabitEthernet0/1 
 no ip address 
! 
interface GigabitEthernet0/2 
 no ip address 
! 
interface Vlan1 
 no ip address 
 no ip route-cache 
 shutdown 
! 
interface Vlan2020 
 ip address 192.168.1.1 255.255.255.0 
 no ip route-cache 
! 
ip http server 
! 
radius-server host 192.168.1.254 auth-port 1812 acct-port 1813 key dot1x 
radius-server retransmit 3 
! 
line con 0 
line vty 5 15 
! 
end 
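As an added check that is not part of the original lab, the following Python script audits a saved running-config for the Task 3 and Task 4 settings: it parses the interface stanzas and reports any access port that lacks dot1x port-control auto, as well as missing AAA or RADIUS server commands. The embedded configuration is a constructed sample modelled on Sw1's configuration, with FastEthernet0/2 deliberately left without 802.1x so the audit has something to find.

```python
import re

# Constructed sample of an IOS running-config, modelled on the lab's Sw1 config:
# one compliant access port, one access port missing dot1x, one uplink port.
SAMPLE_CONFIG = """\
hostname Sw1
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
vlan 2020
 name 802-1X-VLAN
interface FastEthernet0/1
 switchport access vlan 2020
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/2
 switchport access vlan 2020
 switchport mode access
interface GigabitEthernet0/1
 no ip address
radius-server host 192.168.1.254 auth-port 1812 acct-port 1813 key dot1x
"""

# Global commands every 802.1x-enabled switch in this lab must carry.
GLOBAL_REQUIRED = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
)

def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from IOS running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())   # indented line = sub-command
        else:
            current = None   # any other top-level command ends the stanza
    return stanzas

def audit_dot1x(config):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    for cmd in GLOBAL_REQUIRED:
        if cmd not in lines:
            findings.append(f"missing global command: {cmd}")
    if not any(re.match(r"radius-server host \S+", l) for l in lines):
        findings.append("no radius-server host configured")
    for name, body in parse_interfaces(config).items():
        # Only access ports are expected to run 802.1x; uplinks are skipped.
        if "switchport mode access" in body and "dot1x port-control auto" not in body:
            findings.append(f"{name}: access port without dot1x port-control auto")
    return findings

if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG) or ["config passes 802.1x audit"]:
        print(finding)
```

Run it against the output of show running-config saved to a file by replacing SAMPLE_CONFIG with the file's contents.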